Contents
1. Introduction
2. Popular methods of virus detection
2.1 Simple signature scanning
2.2 Generic signature scanning
2.3 Integrity checking
2.4 Heuristic scanning
2.5 Behavior monitoring
2.6 Generic scanning
2.7 Resident scanning
3. Limitations of conventional scanning methods
3.1 Time lag between virus creation and detection
3.2 Problem of updating signature database
3.3 Limitations of signature scanning
3.4 Burden of scanning time and resource
3.5 Limitations of integrity checking
3.6 Limitations of static heuristic scanning
3.7 Limitations of emulation technique
3.8 Vulnerability of anti-virus programs
3.9 Other problems in scanning
4. Summary
Glossary
Reference
1. Introduction
Computer viruses are man-made destructive programs, intentionally written to
infect computer systems and cause trouble for innocent computer users. A
computer virus is generally loaded onto a computer system without the knowledge
of the user. It causes unauthorized and unwanted changes to the components of
the computer or to the information stored on it.
Electronic copy available at: https://ssrn.com/abstract=1916708
The creation of viruses started in the mid-1980s, when the use of PCs started to
grow in businesses and homes. As computer games were very popular, and
applications like word processors and spreadsheets were in high demand, viruses
spread by attaching themselves to those games and programs. As floppies were
predominantly used for data transfer, virus writers created viruses revolving
around floppy usage.
Later, in 1995, a new type of virus, called the macro virus, came into the
picture. These viruses are called macro viruses as they are written in macro
languages. Macros are small executable programs included in document files such
as Microsoft Word documents. These later-day viruses spread mainly through email
and the Internet. Obviously the later-day viruses are more intelligent and
powerful. (Note: read more on viruses in “Introduction to Computer Viruses”,
published this month.)
When we install an anti-virus it first scans the main memory of the computer and
then all external storage devices to detect the presence of any virus. If a
virus is detected, the anti-virus tries to remove it and restore the infected
file to its original state. If the file is too badly damaged by the virus, the
anti-virus may decide to delete the infected file. (Note: read more on virus
scanners in “Introduction to Virus Scanners”, published this month.)
⇛ Signature scanning
⇛ Integrity checking
⇛ Heuristic scanning
⇛ Emulations
⇛ Activity monitoring
In contrast, a generic signature uses a pattern found in a whole family of
viruses. This is a quicker way to detect all the viruses belonging to the same
family. The method works because most viruses are not written from scratch but
are created by modifying the code of previously existing viruses, so the
original virus and its variants share a lot of code. Generic signatures use
various wildcards to match all the variants of a virus family, and can
therefore also detect new and future members of the same family. Generic
signature scanning is also called heuristic signature scanning.
As the heuristic method does not use virus signatures it can detect new and
unknown viruses that have not yet been analyzed by antivirus researchers.
Because the heuristic technique does not use integrity information, it does not
require the fingerprints of programs to be taken and saved when the computer is
in a known clean state.
In static heuristic virus detection, the antivirus program searches the instructions
of a target program for sequences of instructions that perform operations typically
used by viruses. Unlike virus signatures, these sequences are not designed to be
specific to a single virus. Instead, they are meant to be as general as possible in
order to detect the operation of many different viruses.
For example, if the static heuristic antivirus program finds a file open operation,
followed by file read and write operations, and also finds a string "VIRUS" in the
program, it may report that the file is infected by an unknown virus. Static
heuristic detection is generally fast and often performed before CPU emulation.
Dynamic heuristic detection, on the other hand, uses an emulation-based
technology which loads the target program into a software-based CPU emulator.
The CPU emulator acts as a simulated virtual computer, and the program is
allowed to execute freely within it. As the target program is emulated, its
virus-like operations are identified and catalogued. From this catalog of virus
As conventional signature scanning does not work for polymorphic and
metamorphic viruses, many anti-virus programs use emulation-based technology to
detect them. This method also works for encrypted viruses.
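The two heuristic styles described above (static inspection of the instruction stream, and emulation that catalogues what the program actually does) can be seen side by side on a toy bytecode. The following is an added example, not the paper's code and not any product's engine: the opcodes, the toy CPU, the scoring weights and both samples are constructed here for illustration. The "virus-like" payload only performs an open, read and write on the toy machine and contains the string "VIRUS", exactly the indicators the paper's static-heuristic example names; the second sample hides the same payload behind a XOR decryptor, which is why the static pass sees nothing to decode while the emulator recovers the operations.

```python
"""Static vs. dynamic (emulation-based) heuristic scanning on a toy bytecode.

Added example: this is not the paper's code and not any product's engine.
The bytecode, its opcodes and both samples are constructed for illustration;
the "virus-like" payload just opens, reads and writes on the toy CPU.
"""

# Opcodes of the constructed toy bytecode (hypothetical, not a real CPU)
OPEN, READ, WRITE, XOR, JMP, HALT = 0x10, 0x11, 0x12, 0x20, 0x30, 0xFF
OP_NAMES = {OPEN: "open", READ: "read", WRITE: "write",
            XOR: "xor", JMP: "jmp", HALT: "halt"}
OP_LEN = {OPEN: 1, READ: 1, WRITE: 1, XOR: 4, JMP: 2, HALT: 1}  # bytes per instruction

SUSPICIOUS_STRINGS = [b"VIRUS"]            # as in the paper's example
VIRUS_LIKE_SEQUENCE = ["open", "read", "write"]
THRESHOLD = 3                              # score at or above this => report infection


def decode_linear(code: bytes, pc: int = 0) -> list:
    """Linear disassembly from pc; stops at HALT or at an undecodable byte."""
    ops = []
    while pc < len(code):
        op = code[pc]
        if op not in OP_LEN or pc + OP_LEN[op] > len(code):
            break                          # data, or code that is still encrypted
        ops.append((pc, op, code[pc + 1:pc + OP_LEN[op]]))
        if op == HALT:
            break
        pc += OP_LEN[op]
    return ops


def contains_in_order(names: list, wanted: list) -> bool:
    """True if `wanted` occurs as an ordered subsequence of `names`."""
    it = iter(names)
    return all(any(n == w for n in it) for w in wanted)


def score(op_names: list, image: bytes, self_modifying: bool) -> int:
    """Weighted heuristic score: generic, not tied to one particular virus."""
    s = 0
    if contains_in_order(op_names, VIRUS_LIKE_SEQUENCE):
        s += 2                             # open -> read -> write pattern
    if any(t in image for t in SUSPICIOUS_STRINGS):
        s += 1                             # suspicious string in the image
    if self_modifying:
        s += 1                             # program rewrites its own image
    return s


def static_scan(code: bytes) -> dict:
    """Static heuristic: inspect decodable instructions only; nothing is executed."""
    ops = decode_linear(code)
    names = [OP_NAMES[op] for _, op, _ in ops]
    # A XOR whose target address lies inside the program image is self-modifying
    self_mod = any(op == XOR and arg[0] < len(code) for _, op, arg in ops)
    s = score(names, code, self_mod)
    return {"ops": names, "score": s, "infected": s >= THRESHOLD}


def emulate(code: bytes, max_steps: int = 1000) -> dict:
    """Dynamic heuristic: run the program on a toy CPU and catalogue its operations."""
    mem = bytearray(code)                  # the emulator's private copy of memory
    pc, catalog, self_mod, steps = 0, [], False, 0
    while pc < len(mem) and steps < max_steps:   # step limit so emulation always ends
        steps += 1
        op = mem[pc]
        if op not in OP_LEN or pc + OP_LEN[op] > len(mem):
            break                          # invalid instruction: stop emulating
        catalog.append(OP_NAMES[op])
        if op == HALT:
            break
        if op == XOR:                      # XOR addr, length, key: decrypt a region
            addr, length, key = mem[pc + 1], mem[pc + 2], mem[pc + 3]
            for i in range(addr, min(addr + length, len(mem))):
                mem[i] ^= key
            self_mod = True
            pc += 4
        elif op == JMP:
            pc = mem[pc + 1]
        else:
            pc += 1
    s = score(catalog, bytes(mem), self_mod)   # score the decrypted image
    return {"ops": catalog, "score": s, "infected": s >= THRESHOLD, "steps": steps}


# Constructed samples: the same toy payload, once in plain form and once
# behind a XOR decryptor so the plain opcodes never appear in the file.
BODY = bytes([OPEN, READ, WRITE, HALT])
KEY = 0x5A
PLAIN_SAMPLE = BODY + b"VIRUS"
ENCRYPTED_SAMPLE = bytes([XOR, 4, len(BODY), KEY]) + bytes(b ^ KEY for b in BODY) + b"VIRUS"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(label, "static:", static_scan(sample), "dynamic:", emulate(sample))
```

On the plain sample the static pass alone reaches the threshold. On the encrypted sample it decodes only the XOR instruction and stops at the first unreadable byte, so it scores below the threshold, whereas the emulator catalogues the decrypted open/read/write sequence and flags it. The `max_steps` limit is the practical caveat the emulation approach carries: a program that loops forever, or simply runs for a long time before doing anything interesting, has to be cut off, which is one reason the paper treats emulation as a complement to, not a replacement for, the other methods.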
Because of this time gap between the creation of a virus and its possible
detection, new viruses which are not yet included in the virus definition
database cannot be detected by this method. The longer the gap, the more
opportunity there is for new viruses to be created and to spread.
Overcoming limitations:
⇛ The anti-virus companies may adopt various methods (such as using
automated techniques to extract signatures, having customers submit virus
samples, etc.) to reduce this time lag between the creation of viruses and
the distribution of their signatures.
Now what exactly is the problem with updating the signature database? The
signature database has to be updated by both the anti-virus company and the
anti-virus user. The anti-virus company may do it for a commercial objective,
but the end user must go through this pain just to stay safe from viruses. If
the signature database is not updated, then even a full scan does not guarantee
that the computer is free from viruses.
Overcoming limitations:
⇛ The job of analyzing virus characteristics and extracting virus signatures
can be expedited by using automated techniques (TRIZ Principle-25: Self
Service). Human researchers need to analyze the code only if a potential
virus cannot be handled by the automated systems.
⇛ Scanning with generic signatures can detect unknown viruses. Not all
viruses are created from scratch; many virus writers modify the code of
other viruses and create dozens of similar viruses. In such cases, the
anti-virus researchers try to find a common signature shared by all the
viruses in a family, which detects the whole family, instead of finding an
individual signature for each single breed.
⇛ The polymorphic, metamorphic and other such viruses which cannot be
detected by signature scanning can be detected using other methods, such as
behavior monitoring and integrity checking (TRIZ Principle-6:
Universality).
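The generic-signature idea, introduced in the section on generic signature scanning and relied on again in the second point above, comes down to a signature language with wildcards. The following is an added example, not the paper's code and not any vendor's signature format: the syntax (`??` for any one byte, `[n-m]` for a gap of n to m arbitrary bytes) and every byte string below are constructed for illustration. It shows an exact signature taken from one variant detecting only that variant, while one generic signature covers the whole constructed family, including a variant with two bytes inserted.

```python
"""Exact vs. generic (wildcard) signature scanning.

Added example: not the paper's code and not any vendor's signature format.
The signature syntax ('??' = any one byte, '[n-m]' = n to m arbitrary bytes)
and all sample byte strings below are constructed for illustration.
"""
import re

_GAP = re.compile(r"^\[(\d+)-(\d+)\]$")


def compile_signature(pattern: str) -> re.Pattern:
    """Translate a hex signature with wildcards into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                                 # any single byte
            continue
        m = _GAP.match(tok)
        if m:
            lo, hi = m.groups()
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))     # variable-length gap
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))     # literal byte
    # DOTALL so '.' also matches 0x0A; without it a newline byte breaks the match
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: dict) -> list:
    """Return (signature name, offset) for every signature found in data."""
    hits = []
    for name, sig in signatures.items():
        m = sig.search(data)
        if m:
            hits.append((name, m.start()))
    return hits


def coverage(signatures: dict, samples: dict) -> dict:
    """Map each signature name to the sorted list of sample names it detects."""
    return {name: sorted(s for s, data in samples.items() if sig.search(data))
            for name, sig in signatures.items()}


# One exact signature taken from variant A, and one generic signature for the
# whole constructed family: two bytes vary between variants and one variant
# has two extra bytes inserted.
SIGNATURES = {
    "FamilyX.A (exact)": compile_signature("AA 01 02 BB CC 10 DD"),
    "FamilyX (generic)": compile_signature("AA ?? 02 BB [0-3] CC ?? DD"),
}


def _wrap(body: bytes) -> bytes:
    """Constructed 'file': 16 filler bytes, the variant body, then more filler."""
    return b"\x00" * 16 + body + b"\x00" * 8


SAMPLES = {
    "variant_a": _wrap(b"\xAA\x01\x02\xBB\xCC\x10\xDD"),
    "variant_b": _wrap(b"\xAA\x01\x02\xBB\xCC\x20\xDD"),          # one byte changed
    "variant_c": _wrap(b"\xAA\x09\x02\xBB\xCC\x30\xDD"),          # two bytes changed
    "variant_d": _wrap(b"\xAA\x01\x02\xBB\x00\x00\xCC\x40\xDD"),  # two bytes inserted
    "benign":    _wrap(bytes(range(32, 96))),                     # printable filler
}

if __name__ == "__main__":
    for name, detected in coverage(SIGNATURES, SAMPLES).items():
        print(f"{name}: {detected}")
```

The cost of the wider net is the caveat the paper raises in the limitations sections: every wildcard and every gap makes the pattern match more byte sequences, so a generic signature has to be checked against a corpus of clean files before release, or the family signature becomes a family of false positives.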
Overcoming limitations:
⇛ One technique to improve scanning speed is to scan only for the viruses
relevant to the type of file. For example, a boot sector signature would
not be used to scan a macro file. This reduces the total number of search
operations and hence the scanning time.
⇛ Another technique is to scan only specific areas of a file instead of the
whole file. For example, depending on the file type, such as .com or .doc,
the scanner can decide which areas of the file are more likely to contain a
virus. This saves the scanner from searching through the complete file
looking for infection.
⇛ Patent 5684875 (invented by Hans Ellenberger, Nov 1997) suggests not
running all the detection algorithms at once, which could make a scan take
a long time. Instead, it selects only one or a few algorithms to run each
time the scanner is loaded, either randomly or by some other selection
criterion. Even if a virus could not be detected by a few of these
detection algorithms, its chance of survival is very low, as it could be
detected by another algorithm.
⇛ Patent 7036147 (invented by Hursey, assignee McAfee, April 2006)
discloses a method of accelerated scanning by assigning the scanning job
to two different threads. The invention executes two threads in parallel:
a first thread reads the data and a second thread scans it. The first
thread runs in parallel with the second such that while a first portion of
the data is being scanned, a second portion of the data to be scanned is
being read and cached. This method avoids the delay caused by disk read
operations.
Overcoming limitations:
To avoid the above problem, some anti-virus systems follow a time-out
mechanism to exit or abort a prolonged virus scanning operation.
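The two-thread pipeline described under the McAfee patent above, together with the time-out mechanism just mentioned, can be sketched in a few dozen lines. The following is an added example, not the paper's code and not McAfee's implementation; it only follows the structure the patent description gives (one thread reads and caches the next chunk while the other scans the current one) and adds a deadline to the scanning thread. The chunk size, the signature and the file contents are constructed for the demonstration. It also handles the edge case a chunked scanner must get right: a signature that straddles two chunks, which is invisible unless the scanner keeps the tail of the previous chunk.

```python
"""Pipelined scanning: one thread reads and caches, another scans, with a time-out.

Added example, not the paper's code and not McAfee's implementation; it only
follows the two-thread structure the patent description gives and adds the
time-out the paper mentions. Chunk size, signature and file contents are
constructed for the demonstration.
"""
import os
import queue
import tempfile
import threading
import time

CHUNK = 4096
# Constructed test signature, not a pattern from any real virus
SIGNATURES = {"Test.Sig": b"CONSTRUCTED-TEST-SIGNATURE"}


def scan_chunk(data: bytes, sigs: dict) -> list:
    """Names of all signatures whose bytes occur in data."""
    return [name for name, s in sigs.items() if s in data]


def scan_file(path: str, sigs: dict = SIGNATURES, chunk: int = CHUNK,
              timeout: float = 5.0) -> tuple:
    """Scan a file; returns (sorted hit names, status), status being
    'done', 'timeout' or 'error'."""
    q = queue.Queue(maxsize=4)             # reader may run at most 4 chunks ahead
    stop = threading.Event()
    errors = []
    # A signature can straddle two chunks: keep len(sig)-1 bytes of the previous one
    overlap = max(len(s) for s in sigs.values()) - 1

    def put(item) -> bool:
        # Bounded put that gives up once the scanner has asked the reader to stop
        while not stop.is_set():
            try:
                q.put(item, timeout=0.1)
                return True
            except queue.Full:
                continue
        return False

    def reader():
        try:
            with open(path, "rb") as f:
                while not stop.is_set():
                    block = f.read(chunk)
                    if not block or not put(block):
                        break
        except OSError as e:
            errors.append(e)
        finally:
            put(None)                      # sentinel: no more data

    threading.Thread(target=reader, daemon=True).start()
    deadline = time.monotonic() + timeout
    hits, tail = set(), b""
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            stop.set()
            return sorted(hits), "timeout"
        try:
            block = q.get(timeout=remaining)   # waits only until the deadline
        except queue.Empty:
            stop.set()
            return sorted(hits), "timeout"
        if block is None:
            break
        window = tail + block
        hits.update(scan_chunk(window, sigs))
        tail = window[-overlap:] if overlap else b""   # window[-0:] would be everything
    return sorted(hits), ("error" if errors else "done")


def make_sample_file(content: bytes) -> str:
    """Write constructed content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # Signature starts 5 bytes before the first chunk boundary, so it straddles chunks
    p = make_sample_file(b"A" * (CHUNK - 5) + SIGNATURES["Test.Sig"] + b"B" * 100)
    print(scan_file(p))                    # (['Test.Sig'], 'done')
```

The bounded queue is what makes this a pipeline rather than a read-everything-then-scan pass: the reader stays a few chunks ahead and blocks when the scanner falls behind, so memory use is fixed regardless of file size. On a time-out the function returns the hits found so far with status `timeout`, so a caller can distinguish "clean" from "not fully scanned", which is the distinction a time-out mechanism must preserve to avoid turning an abort into a false clean verdict.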
4. Summary
The main functions of an anti-virus program are virus prevention and file
protection, virus scanning and detection, removing virus from infected files and
recovering damaged files and objects.
Signature scanning (or searching of known virus patterns) is the most common
method of virus detection. But it cannot detect viruses whose signatures are not
available in the virus database. The other popular method is to use a heuristic
algorithm to find viruses based on common behaviors. This method can be
complex, but it has the ability to detect unknown or new viruses. Integrity
checking is another generic method but it can only be applied for specific types of
files which are not generally changed by user operations.
Glossary:
# Virus signature – a sequence of bytes that may be found in a virus
program's code but is unlikely to be found elsewhere.
# Heuristic scanning – the method of searching for virus-like behavior.
# On-access scanning – the method of scanning a file when it is requested
for opening.
# On-the-fly scanning – scanning an email or file while it is on the way,
before it is finally opened; similar to on-access scanning.
# Virus database – the database containing information such as signatures,
behaviors and removal methods of known viruses.
# Companion viruses – viruses that spread via a file which runs instead of
the file the user intended to run, and then runs the original file.
# Armoured viruses – viruses that are specifically written to make it difficult
for an antivirus researcher to find out how they work and what they do.
Reference:
1. Umakant Mishra, “An Introduction to Computer Viruses”, trizsite journal, Feb 2007,
http://www.trizsite.com/articles.
2. Umakant Mishra, “An Introduction to Virus Scanners”, trizsite journal, Feb 2007,
http://www.trizsite.com/articles.
3. US Patent 6357008, “Dynamic heuristic method for detecting computer viruses using
decryption exploration and evaluation phases”, Inventor- Nachenberg, assignee Symantec
Corporation, March 2002.